PT-2022-17948 · Liferay · Liferay Portal+1

Published

2022-04-19

Updated

2024-01-31

CVE-2022-26595

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.3.7 through 7.4.1 Liferay DXP versions 7.2 fix pack 13 through 7.3 fix pack 2

Description The issue arises from improper user permission checks when accessing a list of sites or groups. This allows remote authenticated users to view sites or groups via the user's site membership assignment UI.

Recommendations For Liferay Portal versions 7.3.7 through 7.4.1, consider restricting access to the site membership assignment UI until a patch is available. For Liferay DXP versions 7.2 fix pack 13 through 7.3 fix pack 2, consider disabling the site membership assignment feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276

Related Identifiers

BIT-LIFERAY-2022-26595

CVE-2022-26595

GHSA-822F-JFPG-HG7H

Affected Products

Liferay Dxp

Liferay Portal

PT-2022-17948 · Liferay · Liferay Portal+1

CVE-2022-26595

Weakness Enumeration

Related Identifiers

Affected Products

References · 12